Not if, but when: emerging legal liabilities for directors and officers for lapses in Information Security Governance
The Centre for Enterprise Governance is pleased to invite you to the Enterprise Governance Forum featuring guest speaker Steven Dewhurst | Semester Professor | Faculty of Law, Bond University
In a speech to the Financial Services Assurance Forum in November 2020, Geoff Summerhayes, a Member of APRA’s Executive Board, noted that “… too many boards still lack visibility or understanding of the problems, while internal audit functions can lack the specialist skills to challenge boards and management to plug urgent gaps …”. Mr Summerhayes was speaking about the growing threat of cyber crime faced by corporate Australia.
APRA regulates Australia’s largest and most sophisticated financial institutions; entities one might expect to attract the best and brightest minds to oversee them, and to have the deepest resources to invest in grappling with the ever-increasing challenge of cyber-security. Mr Summerhayes’ observations ought, therefore, to raise concerns. If APRA’s regulated entities are falling well short of expectations, what can we expect of the rest of corporate Australia in this regard? Anecdotal evidence of daily lapses in the governance of information security suggests only one answer: not much.
Explaining cyber security to a board of directors has recently been described by one prominent Chief Information Security Officer as trying to teach them a new language and a complicated subject at the same time. A quarter of a century after Daniels v Anderson, which articulated a duty for directors to ensure that they understand what is going on within the company they oversee, we are confronted with a conundrum: if the law requires directors to understand an area few of them have the technical competence to grasp, how can directors protect themselves from the risk of liability for information security lapses which are now regarded as inevitable, not just possible?
In this seminar we will examine how theories of legal liability are being constructed for a management responsibility that has been hidden in plain sight until very recently, and suggest that the solution to the governance shortcomings which are an increasing concern of corporate regulators is not more regulation or to make an already complicated subject ever more complex; it is, instead, the opposite: a complicated subject like information security risk needs to be articulated by those who understand it best, in a language those who need to understand it can comprehend.
Date: Tuesday, July 13, 2021
Time: 4:00 - 5:00 pm AEST
Where: via Zoom - on registration, you will receive a confirmation which will include the webinar link and password.
Please feel free to share the invitation.
Gary Brady, Centre Director for the Centre for Enterprise Governance.
For any questions about the webinar, please do not hesitate to contact Christine Goodman via email at [email protected]